Red Hat Single Sign-on Integration with Ansible Tower

As you might know, Red Hat Ansible Tower supports SAML authentication (both N and Z) by default. This document will guide you through the steps for configuring both products to delegate the authentication to RHSSO/Keycloak (Red Hat Single Sign-On).

Requirements:

A running RHSSO/Keycloak instance

Ansible Tower

Admin rights for both

DNS resolution

Hands-On Lab

Unless you have your own certificate already, the first step will be to create one. To do so, execute the following command:

Now we need to create the Ansible Tower Realm on the RHSSO platform. Go to the "Select Realm" drop-down and click on "Add new realm":

Once created, go to the "Keys" tab and delete all certificates, keys, etc. that were created by default.

Now that we have a clean realm, let's populate it with the appropriate information. Click on "Add Keystore" in the upper right corner and click on RSA:

Click on Save and create your Ansible Tower client information. It is recommend to start with the Tower configuration so that you can inject the metadata file and customize a few of the fields.

Log in as the admin user on Ansible Tower and go to "Settings > Configure Tower > Authentication > SAML". Here you will find many fields (two of them read-only), that give us the information necessary to make this work:

Assertion Consumer Service

Metadata URL for the Service Provider (this will return the configuration for your IDP)

Now let's fill all the required fields:

EntityID for SAML Service Provider: tower.usersys.redhat.com (must be the same on RHSSO as client_id name)

Recommended Steps and Things to Check

RHSSO is the chosen name, which can be whatever you want and is not tied to DNS or server configurations. This is simply a visual marker.

All the attr_ fields are required to work and will be mappers on the client that we will create on the next step.

Entity_id will point to your realm. Go to your RHSSO realm through WebUI and in “General” you will see "OpenID Endpoint Configuration". Just click and catch the "issuer" field to fulfill the entity_id.

“For url” is a fixed field; put your entity_id there, followed by /protocol/saml.

If you generated your cert/key in RHSSO, you will have them in one line. To convert to PEM format you can just wrap them in "-----BEGIN CERTIFICATE-----" etc. and use fold -w64 to split the single line.

RHSSO Client Configuration

Now that you've configured SAML on Ansible Tower save the changes and start with the RHSSO Client configuration.

First, log in as the admin user on the RHSSO platform and go to the "Tower" realm. From there, go to “Clients” and select “Create”. Click on “select file” to import the data that we already have on Ansible Tower (to get the configuration execute this command from your laptop: curl -L -k https://tower.usersys.redhat.com/sso/metadata/saml/). Modify the Client ID by pointing it to tower.usersys.redhat.com, then set the “Client Protocol” to SAML as displayed below:

Next, fix the configuration to fit the following screenshot:

The last step to take is to create the mappers on Tower's RHSSO client. The purpose of this is to define the information that comes from your RHSSO, which will be mapped against Ansible Tower users.

To do this, we must go to Mappers tab:

Displayed below are the necessary mappers:

The following screenshot shows proper configuration of user name, last name, email, user ID, and first name:

Note: "firstName" and "lastName" are case sensitive since they map the RHSSO user property.

Now you’re all set!

Let's test with a user that we already have on our RHSSO (we have RHSSO with a user federation against ldap.example.com). For testing purposes, you can create a user on "Manage > Users" if you wish.

Now go to the Ansible Tower login page and you should see “Sign in With S”:

Click on this "S" and you will be redirected to login on your RHSSO server:

And that's it!

Hope this was a helpful guide to Red Hat Single Sign-On integration with Ansible Tower!

Find out more about how Ansible Tower can help you scale IT automation, manage complex deployments and speed productivity or start your free trial.

Juan Manuel is a Solutions Engineer at Atomic Openshift team, Red Hat. Juan has been working in technology since 2007, starting with support position and later as a Release Engineer at Telefonica R&D. He is almost 4 years at Red Hat, Juan helps with system integrations between all Red Hat portfolio. He resides in Madrid, Spain with his wife and son. He can be found on Twitter as @kerbeross and @jparrill on Github.